Add standalone OpenID Connect authentication module with multi-provider abstractions #721
Pull request overview
This pull request implements a standalone OpenID Connect authentication module for Elsa Studio as a clean alternative to the existing OIDC implementation in Elsa.Studio.Login. The implementation introduces shared authentication abstractions that enable future support for additional authentication providers (OAuth2, JWT, SAML, etc.) and leverages Microsoft's native authentication infrastructure for automatic token management.
Key Changes:
- Four new authentication projects with comprehensive abstractions layer
- Separate Blazor Server and WASM implementations using platform-native authentication mechanisms
- Extensive documentation including architecture guide and implementation summary
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Elsa.Studio.Authentication.Abstractions/* | New shared abstractions project with ITokenAccessor interface and AuthenticationOptions base class for reusable patterns across authentication providers |
| Elsa.Studio.Authentication.OpenIdConnect/* | Core OIDC module with IOidcTokenAccessor interface, OidcOptions configuration, and OidcAuthenticationProvider implementation |
| Elsa.Studio.Authentication.OpenIdConnect.BlazorServer/* | Blazor Server implementation using ASP.NET Core OIDC middleware with cookie-based sessions and server-side token storage |
| Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/* | Blazor WASM implementation using framework's IAccessTokenProvider for automatic token management |
| src/modules/AUTHENTICATION_ARCHITECTURE.md | Comprehensive architecture documentation explaining multi-provider design and integration points |
| IMPLEMENTATION_SUMMARY.md | Implementation overview with architectural decisions and migration guidance |
| Elsa.Studio.sln | Solution file updated to include 3 of the 4 new projects, plus unintended platform configuration changes |
| Directory.Packages.props | Added Microsoft.AspNetCore.Authentication.OpenIdConnect package versions for net8.0, net9.0, and net10.0 |
| Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.OpenIdConnect", "src\modules\Elsa.Studio.Authentication.OpenIdConnect\Elsa.Studio.Authentication.OpenIdConnect.csproj", "{E88C478A-6B8C-46F3-941C-BEBD798ECD06}" | ||
| EndProject | ||
| Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm", "src\modules\Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm\Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm.csproj", "{AED216D2-620D-4446-931F-BDEF357DA805}" | ||
| EndProject |
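Review bot: this hunk registers only the OpenIdConnect and BlazorWasm projects, while the review overview counts four new projects and notes that the solution includes three of them; the Blazor Server project is the one missing, so it is neither built nor tested with the solution. When adding its Project/EndProject pair, the new project GUID also needs Debug and Release rows in the ProjectConfigurationPlatforms section (the shape the later hunk shows for {09E284E0-7F8E-4346-962F-90F3FBA8837D}); without them MSBuild loads the project but does not select it for building in that solution configuration.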
Copilot AI, Jan 8, 2026:
The BlazorServer project exists in the file system (src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorServer) but is not added to the solution file. This means it won't be built as part of the solution and won't be included in CI/CD pipelines. The project needs to be added to Elsa.Studio.sln.
| EndProject | |
| EndProject | |
| Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Elsa.Studio.Authentication.OpenIdConnect.BlazorServer", "src\modules\Elsa.Studio.Authentication.OpenIdConnect.BlazorServer\Elsa.Studio.Authentication.OpenIdConnect.BlazorServer.csproj", "{3F6B7A9A-5A94-4C5E-9E4C-3F9F8C7C2C10}" | |
| EndProject |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|x64.Build.0 = Debug|Any CPU | ||
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|x86.ActiveCfg = Debug|Any CPU | ||
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|x86.Build.0 = Debug|Any CPU | ||
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|Any CPU.ActiveCfg = Release|Any CPU | ||
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|Any CPU.Build.0 = Release|Any CPU | ||
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x64.ActiveCfg = Release|Any CPU | ||
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x64.Build.0 = Release|Any CPU | ||
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x86.ActiveCfg = Release|Any CPU | ||
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x86.Build.0 = Release|Any CPU |
Copilot AI, Jan 8, 2026:
The solution file has been modified to add x64 and x86 platform configurations for every project in the solution. This is a significant change that affects all existing projects, not just the new authentication modules. This appears to be an unintended side effect and adds 304 lines of build configuration that may not be necessary for a Blazor application. Typically, Blazor projects only use "Any CPU" configuration. Consider reverting these platform configuration changes and only adding the new authentication projects without modifying existing project configurations.
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|x64.Build.0 = Debug|Any CPU | |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|x86.ActiveCfg = Debug|Any CPU | |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Debug|x86.Build.0 = Debug|Any CPU | |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|Any CPU.ActiveCfg = Release|Any CPU | |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|Any CPU.Build.0 = Release|Any CPU | |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x64.ActiveCfg = Release|Any CPU | |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x64.Build.0 = Release|Any CPU | |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x86.ActiveCfg = Release|Any CPU | |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|x86.Build.0 = Release|Any CPU | |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|Any CPU.ActiveCfg = Release|Any CPU | |
| {09E284E0-7F8E-4346-962F-90F3FBA8837D}.Release|Any CPU.Build.0 = Release|Any CPU |
- Refactor OpenID Connect PKCE service implementation to consolidate logic and improve session storage management.
- Add support for client secrets and enhance OpenID Connect PKCE flow with session state management.
- Add `UseOpenIdConnect` extension method to simplify OIDC configuration for BlazorServer and BlazorWasm modules
- Add `Elsa.Studio.Authentication.OpenIdConnect` module to provide OpenID Connect-based authentication for Elsa Studio
- Switch to OpenID Connect for authentication, update configuration, and add OIDC script reference.
- Remove default value for `UsePkce` in OpenIdConnectConfiguration to align with existing conventions.
- Remove unused `wwwroot` folder reference from `Elsa.Studio.Login.csproj`.
- Add foundational types for OpenID Connect PKCE flow authentication
- Initial plan
- Phase 1-3 complete: Core OIDC module with Server and WASM implementations
  Co-authored-by: sfmskywalker <[email protected]>
- Add shared authentication abstractions for multi-provider support
  Co-authored-by: sfmskywalker <[email protected]>
- Add comprehensive authentication architecture documentation
  Co-authored-by: sfmskywalker <[email protected]>
- Final: Add implementation summary for PR review
  Co-authored-by: sfmskywalker <[email protected]>
- Add authentication infrastructure and modules for Elsa Studio, including ElsaAuth and OpenID Connect integration.
- Update project references to include new Elsa Studio Authentication modules.
- Update `RedirectToLoginUnauthorizedComponentProvider` to support fallback to default Unauthorized component when `IAuthorizationService` is unavailable.
- Mark `Elsa.Studio.Login` APIs as obsolete and migrate authentication to `Elsa.Studio.Authentication.ElsaAuth`. Simplify dependencies and refactor JWT parsing for BlazorServer and BlazorWasm modules.
- Switch to OpenID Connect authentication, remove legacy login module, and update service registration methods.
- Replace `Login` module with OpenID Connect, update authentication pipeline, and revise default `GetClaimsFromUserInfoEndpoint`.
- Replace `BearerTokenHttpMessageHandler` with `AuthenticatingApiHttpMessageHandler` and remove obsolete references
- Organize solution structure by adding new folders: authentication, localization, workflows, deprecated, samples, and dashboard. Remove obsolete project references.
- Refactor authentication: replace legacy services, update OIDC implementation, and restructure PKCE flow
- Add `Elsa.Studio.Authentication.ElsaAuth.UI` module to provide Elsa Identity authentication with a login UI and unauthorized redirect behavior.
- Migrate `AUTHENTICATION_ARCHITECTURE.md` to `doc/` folder, update project references, and refine namespace imports for authentication module.
- Introduce `IAnonymousBackendApiClientProvider` and refactor API client creation to support non-authenticated backend calls.
- Add token refresh mechanism for OpenID Connect and Elsa Identity authentication modules. Introduce token refresh coordinators, configuration providers, and support for silent token refresh. Update related services and integrate advanced options for customization.
- Add persisted token refresh for OpenID Connect in Blazor Server: implement browser-side pings, background services, and configurable strategies.
- Remove persisted token refresh strategy and related services from OpenID Connect configuration.
- Refactor OIDC configuration for Blazor WebAssembly: add Azure AD compatibility patches, improve URI handling, and modularize features.
- Fix Azure AD authentication in Blazor WASM by passing explicit API scopes during token exchange (#722)
  - Initial plan
  - Fix Azure AD authentication by passing explicit API scopes during token requests
    - Updated WasmOidcTokenAccessor to request access tokens with explicit resource scopes
    - Filter out standard OIDC scopes (openid, profile, email, offline_access) and pass only API scopes
    - Register OidcOptions in DI container so WasmOidcTokenAccessor can access configured scopes
    - This ensures Azure AD receives scope parameter during token exchange, fixing AADSTS errors
    Co-authored-by: sfmskywalker <[email protected]>
  - Add Azure AD configuration documentation for Blazor WASM
    - Document Azure AD app registration setup and requirements
    - Explain single-resource scope limitation (no mixing Graph + custom API scopes)
    - Add troubleshooting guide for common Azure AD errors (AADSTS28000, AADSTS28003)
    - Update example to use AddElsaOidcAuthentication instead of AddOidcAuthentication
    - Document that standard OIDC scopes are automatically filtered
    Co-authored-by: sfmskywalker <[email protected]>
  - Address code review feedback
    - Register OidcOptions as singleton instance instead of using Configure<T>
    - Remove IOptions<T> dependency from WasmOidcTokenAccessor
    - Add null check for Scopes array to prevent NullReferenceException
    - Simplify DI registration pattern
    Co-authored-by: sfmskywalker <[email protected]>
  - Update src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs
    Co-authored-by: Copilot <[email protected]>
  - Update src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs
    Co-authored-by: Copilot <[email protected]>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <[email protected]>
  Co-authored-by: sfmskywalker <[email protected]>
  Co-authored-by: Sipke Schoorstra <[email protected]>
  Co-authored-by: Copilot <[email protected]>
- Remove obsolete Azure AD compatibility patches and cleanup related JavaScript and Razor components.
- Refactor OpenID Connect callback path handling: use null-coalescing assignments and remove default path values from `OidcOptions`.
- Add token purposes and scoped token caching for enhanced authentication configuration
- Add scoped access token capabilities and token-purpose configuration
  Introduce `IScopedAccessTokenProvider`, `IOidcTokenAccessorWithScopes`, and associated models to enable scope-aware token acquisition based on token purposes. Update handlers to support backend API scopes and implement scoped token caching for multi-audience token scenarios.
- Refactor authentication modules: simplify scoped token handling, update OIDC providers, and enhance incremental consent support.
- Add standalone OpenID Connect authentication module with multi-provider abstractions (#721)
  - Initial plan
  - Phase 1-3 complete: Core OIDC module with Server and WASM implementations
    Co-authored-by: sfmskywalker <[email protected]>
  - Add shared authentication abstractions for multi-provider support
    Co-authored-by: sfmskywalker <[email protected]>
  - Add comprehensive authentication architecture documentation
    Co-authored-by: sfmskywalker <[email protected]>
  - Final: Add implementation summary for PR review
    Co-authored-by: sfmskywalker <[email protected]>
  - Add authentication infrastructure and modules for Elsa Studio, including ElsaAuth and OpenID Connect integration.
  - Update project references to include new Elsa Studio Authentication modules.
  - Update `RedirectToLoginUnauthorizedComponentProvider` to support fallback to default Unauthorized component when `IAuthorizationService` is unavailable.
  - Mark `Elsa.Studio.Login` APIs as obsolete and migrate authentication to `Elsa.Studio.Authentication.ElsaAuth`. Simplify dependencies and refactor JWT parsing for BlazorServer and BlazorWasm modules.
  - Switch to OpenID Connect authentication, remove legacy login module, and update service registration methods.
  - Replace `Login` module with OpenID Connect, update authentication pipeline, and revise default `GetClaimsFromUserInfoEndpoint`.
  - Replace `BearerTokenHttpMessageHandler` with `AuthenticatingApiHttpMessageHandler` and remove obsolete references
  - Organize solution structure by adding new folders: authentication, localization, workflows, deprecated, samples, and dashboard. Remove obsolete project references.
  - Refactor authentication: replace legacy services, update OIDC implementation, and restructure PKCE flow
  - Add `Elsa.Studio.Authentication.ElsaAuth.UI` module to provide Elsa Identity authentication with a login UI and unauthorized redirect behavior.
  - Migrate `AUTHENTICATION_ARCHITECTURE.md` to `doc/` folder, update project references, and refine namespace imports for authentication module.
  - Introduce `IAnonymousBackendApiClientProvider` and refactor API client creation to support non-authenticated backend calls.
  - Add token refresh mechanism for OpenID Connect and Elsa Identity authentication modules. Introduce token refresh coordinators, configuration providers, and support for silent token refresh. Update related services and integrate advanced options for customization.
  - Add persisted token refresh for OpenID Connect in Blazor Server: implement browser-side pings, background services, and configurable strategies.
  - Remove persisted token refresh strategy and related services from OpenID Connect configuration.
  - Refactor OIDC configuration for Blazor WebAssembly: add Azure AD compatibility patches, improve URI handling, and modularize features.
  - Fix Azure AD authentication in Blazor WASM by passing explicit API scopes during token exchange (#722)
    - Initial plan
    - Fix Azure AD authentication by passing explicit API scopes during token requests
      - Updated WasmOidcTokenAccessor to request access tokens with explicit resource scopes
      - Filter out standard OIDC scopes (openid, profile, email, offline_access) and pass only API scopes
      - Register OidcOptions in DI container so WasmOidcTokenAccessor can access configured scopes
      - This ensures Azure AD receives scope parameter during token exchange, fixing AADSTS errors
      Co-authored-by: sfmskywalker <[email protected]>
    - Add Azure AD configuration documentation for Blazor WASM
      - Document Azure AD app registration setup and requirements
      - Explain single-resource scope limitation (no mixing Graph + custom API scopes)
      - Add troubleshooting guide for common Azure AD errors (AADSTS28000, AADSTS28003)
      - Update example to use AddElsaOidcAuthentication instead of AddOidcAuthentication
      - Document that standard OIDC scopes are automatically filtered
      Co-authored-by: sfmskywalker <[email protected]>
    - Address code review feedback
      - Register OidcOptions as singleton instance instead of using Configure<T>
      - Remove IOptions<T> dependency from WasmOidcTokenAccessor
      - Add null check for Scopes array to prevent NullReferenceException
      - Simplify DI registration pattern
      Co-authored-by: sfmskywalker <[email protected]>
    - Update src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs
      Co-authored-by: Copilot <[email protected]>
    - Update src/modules/Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm/Services/WasmOidcTokenAccessor.cs
      Co-authored-by: Copilot <[email protected]>
    ---------
    Co-authored-by: copilot-swe-agent[bot] <[email protected]>
    Co-authored-by: sfmskywalker <[email protected]>
    Co-authored-by: Sipke Schoorstra <[email protected]>
    Co-authored-by: Copilot <[email protected]>
  - Remove obsolete Azure AD compatibility patches and cleanup related JavaScript and Razor components.
  - Refactor OpenID Connect callback path handling: use null-coalescing assignments and remove default path values from `OidcOptions`.
  - Add token purposes and scoped token caching for enhanced authentication configuration
  - Add scoped access token capabilities and token-purpose configuration
    Introduce `IScopedAccessTokenProvider`, `IOidcTokenAccessorWithScopes`, and associated models to enable scope-aware token acquisition based on token purposes. Update handlers to support backend API scopes and implement scoped token caching for multi-audience token scenarios.
  - Refactor authentication modules: simplify scoped token handling, update OIDC providers, and enhance incremental consent support.
  ---------
  Co-authored-by: copilot-swe-agent[bot] <[email protected]>
  Co-authored-by: sfmskywalker <[email protected]>
  Co-authored-by: Sipke Schoorstra <[email protected]>
  Co-authored-by: Sipke Schoorstra <[email protected]>
  Co-authored-by: Copilot <[email protected]>
- Refactor authentication modules: replace `IScopedAccessTokenProvider` with streamlined scope-aware token handling, introduce generic component providers, and enhance JWT accessor abstractions.
- Refactor authentication modules: replace `GenericComponentProvider` with `UnauthorizedComponentProvider`, streamline component references, and mark `LoginFeature` as obsolete.
- Update authentication architecture documentation to reflect actual codebase (#724)
  - Initial plan
  - Update authentication architecture documentation with accurate module information
    Co-authored-by: sfmskywalker <[email protected]>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <[email protected]>
  Co-authored-by: sfmskywalker <[email protected]>
- Simplify token access with explicit methods instead of string-based lookups (#725)
  - Initial plan
  - Simplify token access architecture - replace string-based token names with explicit methods
    Co-authored-by: sfmskywalker <[email protected]>
  - Update documentation to reflect simplified token access architecture
    Co-authored-by: sfmskywalker <[email protected]>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <[email protected]>
  Co-authored-by: sfmskywalker <[email protected]>
  Co-authored-by: Sipke Schoorstra <[email protected]>
- Remove `IScopedAccessTokenProvider`, related properties, and simplify OIDC scope configuration
- Refactor authentication modules: remove obsolete abstractions, streamline configuration setup, and introduce provider-specific HTTP connection options.
- Remove obsolete unauthorized component providers and migrate to generic `UnauthorizedComponentProvider`. Streamline default provider registrations.
- Refactor authentication modules: replace `ITokenRefreshCoordinator` with `ISingleFlightCoordinator`, remove obsolete abstractions, and streamline service registrations across modules.
- Refactor authentication modules: replace `IOidcTokenAccessor` with `ITokenProvider`, simplify service registrations, and enhance Blazor WASM and Server OIDC token handling.
- Remove obsolete persisted OIDC refresh services and replace with `AuthCookieEvents` for token refresh logic. Simplify Blazor Server implementation by leveraging `CookieAuthenticationEvents.OnValidatePrincipal`.
- Remove `IScopedTokenCache` and related implementations. Simplify Blazor Server OIDC token handling by replacing scoped token cache with in-memory dictionary and updating `ServerTokenProvider` logic. Add Polly-based retry policy for token refresh HTTP client.
- Update package versions: upgrade `Elsa.Api.Client` to `3.6.0-rc2`, replace `Http.Resilience` with `Http.Polly`, and realign framework-specific dependencies.
- Apply file-scoped namespace declarations across the solution to align with modern C# practices.
- Update `AUTHENTICATION_ARCHITECTURE.md` to reflect updated Blazor Server and WASM authentication workflows, replace obsolete components, and document new token refresh flow.
- Update default authentication provider to `ElsaAuth` and adjust related documentation and configuration. Refactor `ITokenProvider` interface and improve token handling description.
- Remove `AddAuthenticationInfrastructure` and related references. Clean up obsolete extensions and update service registrations in authentication modules. Adjust documentation to reflect changes.
- Refactor authentication modules: consolidate duplicate JWT parsers into a single implementation, remove legacy services and interfaces, and streamline service registrations.
- Consolidate authentication service registrations: simplify `AddElsaAuth` and `AddElsaAuthUI` extensions, remove redundant `Blazored.LocalStorage` and JWT parser registrations, and streamline usage across Blazor Server and WASM.
- Update `AddOpenIdConnectAuth` naming and replace `ITimeZoneProvider` implementation with `LocalTimeZoneProvider`. Clean up redundant service and variable usages in Blazor Server and WASM hosts.
- Update authentication provider to `ElsaAuth` in configurations and remove redundant comments and unused application URLs.
- Remove `LoginState` component and associated `LoginFeature` logic from `ElsaAuth` authentication modules.
- Add README files for `Elsa.Studio.Authentication` modules: core, Blazor Server, Blazor WebAssembly, and OpenID Connect modules. Document architecture, setup instructions, and troubleshooting details.
- Refactor `IAuthenticationProvider` to `ITokenProvider` across `ElsaAuth` modules and rename `JwtAuthenticationProvider` to `JwtTokenProvider` for improved clarity and consistency.
- Update references from `IAuthenticationProvider` to `ITokenProvider` in README and architecture docs for consistency
- Update localization module to use nullable result in `blazorCulture.get` and switch default authentication to `OpenIdConnect`
- Remove `AZURE_AD_BLAZOR_WASM_AUTH_PLAN.md` as it is no longer relevant to the updated architecture and authentication strategy.
- Rename `ElsaAuth` modules and references to `ElsaIdentity` for alignment with updated authentication strategy. Remove deprecated components and update relevant configurations, service registrations, and documentation accordingly.
- Remove redundant null assignment to `Authorization` header in `ElsaIdentityAuthenticatingApiHttpMessageHandler`.
- Simplify `AccessTokenProvider` lambda expression in `ElsaAuthHttpConnectionOptionsConfigurator`.
- Refactor `ServerTokenProvider` and `TokenRefreshService` constructors to use primary constructor syntax for improved readability and reduced boilerplate. Adjust usages to align with updated structure.
- Remove redundant `<remarks>` section from `AddOidcAuthentication` method documentation.
- Remove `AppBaseUrl` property and related logic from OIDC options and configuration as it is no longer required.
- Add support for legacy Elsa Login authentication module and update project references
- Refactor `WorkflowInstanceObserverFactory` to enable asynchronous configuration of `HttpConnectionOptions` during SignalR connection setup.
- Fix authentication bugs and code quality issues from PR #723 review (#726)
  - Initial plan
  - Address code review feedback: fix authentication condition, improve documentation, and simplify nested if statements
    Co-authored-by: sfmskywalker <[email protected]>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <[email protected]>
  Co-authored-by: sfmskywalker <[email protected]>
  Co-authored-by: Sipke Schoorstra <[email protected]>
- Add configurable `NameClaimType` and `RoleClaimType` to OIDC options and update token validation parameters accordingly
---------
Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: sfmskywalker <[email protected]>
Co-authored-by: Copilot <[email protected]>
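The scope handling the #722 commit message describes (strip the standard OIDC scopes before an access-token request, keep only API scopes, tolerate a null Scopes array, and respect the single-resource limitation the Azure AD documentation entry mentions) as an added, self-contained C# example. This is not the project's `WasmOidcTokenAccessor`; the class name, the `api://elsa-backend` scope and the Graph scope are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper (not the project's WasmOidcTokenAccessor) showing the scope
// handling the #722 commit describes: standard OIDC scopes are stripped before an
// access-token request, and a configuration that mixes resources is rejected up front.
public static class OidcScopeFilter
{
    // Scopes that describe the identity token, never an API resource.
    private static readonly HashSet<string> StandardOidcScopes =
        new(StringComparer.OrdinalIgnoreCase) { "openid", "profile", "email", "offline_access" };

    // Returns the API (resource) scopes from the configured list. A null or empty
    // Scopes array yields an empty list instead of a NullReferenceException.
    public static IReadOnlyList<string> ApiScopes(IEnumerable<string>? configuredScopes)
    {
        if (configuredScopes is null)
            return Array.Empty<string>();

        return configuredScopes
            .Where(s => !string.IsNullOrWhiteSpace(s))
            .Select(s => s.Trim())
            .Where(s => !StandardOidcScopes.Contains(s))
            .Distinct(StringComparer.Ordinal)
            .ToList();
    }

    // The resource a scope belongs to is everything before its last '/':
    // "api://elsa-backend/access_as_user" -> "api://elsa-backend",
    // "https://graph.microsoft.com/User.Read" -> "https://graph.microsoft.com".
    // A bare scope such as "User.Read" has no explicit resource and maps to "".
    public static string ResourceOf(string scope)
    {
        var slash = scope.LastIndexOf('/');
        return slash < 0 ? "" : scope[..slash];
    }

    // An access token is issued for one audience, so all API scopes in a single
    // request must name the same resource. Returns null when the configuration is
    // acceptable, otherwise a message to surface at startup rather than at sign-in.
    public static string? ValidateSingleResource(IReadOnlyList<string> apiScopes)
    {
        var resources = apiScopes
            .Select(ResourceOf)
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();

        if (resources.Count <= 1)
            return null;

        return "OIDC Scopes span more than one resource (" + string.Join(", ", resources) +
               "); request one resource per access token.";
    }

    public static void Main()
    {
        // Constructed sample configuration; the scope values are placeholders.
        string[] configured =
        {
            "openid", "profile", "email", "offline_access",
            "api://elsa-backend/access_as_user"
        };
        var api = ApiScopes(configured);
        Console.WriteLine("Requesting scopes: " + string.Join(" ", api));
        Console.WriteLine(ValidateSingleResource(api) ?? "single resource: OK");

        // Mixing a Graph scope with the custom API scope is the case the commit
        // message's single-resource limitation rules out.
        var mixed = ApiScopes(new[]
        {
            "openid", "https://graph.microsoft.com/User.Read", "api://elsa-backend/access_as_user"
        });
        Console.WriteLine(ValidateSingleResource(mixed) ?? "single resource: OK");

        // A null Scopes array is tolerated rather than throwing.
        Console.WriteLine("Null scopes -> " + ApiScopes(null).Count + " API scopes");
    }
}
```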
Implements a clean-slate OIDC authentication module decoupled from `Elsa.Studio.Login`, using Microsoft's native authentication infrastructure for automatic token management. Addresses manual token fetching issues and introduces shared abstractions for future authentication providers (OAuth2, JWT, SAML).
Architecture
Four new projects:
- `Elsa.Studio.Authentication.Abstractions` - Shared `ITokenAccessor` interface and `AuthenticationOptions` base class enabling consistent patterns across authentication providers
- `Elsa.Studio.Authentication.OpenIdConnect` - Core OIDC abstractions (`IOidcTokenAccessor`, `OidcOptions`, `OidcAuthenticationProvider`)
- `Elsa.Studio.Authentication.OpenIdConnect.BlazorServer` - Server implementation using `Microsoft.AspNetCore.Authentication.OpenIdConnect` with cookie-based sessions
- `Elsa.Studio.Authentication.OpenIdConnect.BlazorWasm` - WASM implementation using `Microsoft.AspNetCore.Components.WebAssembly.Authentication` with framework-managed tokens
Key Differences from Legacy
- WASM: framework-managed
- WASM: framework-secured
Usage
Blazor Server:
Blazor WASM:
Compatibility
- `WorkflowInstanceObserverFactory` for SignalR authentication via `IAuthenticationProviderManager`
- `AuthenticatingApiHttpMessageHandler`
- `Elsa.Studio.Login` - can coexist with legacy implementation
Documentation
- `src/modules/AUTHENTICATION_ARCHITECTURE.md`
Original prompt
Goal: implement an optional module called `Elsa.Studio.Authentication.OpenIdConnect`.
Elsa Studio currently supports OIDC, but its implementation might not be optimal for several reasons:
- `WorkflowInstanceObserverFactory`
Ideally, leave the existing OIDC code as-is, but start a clean slate implementation from the new (empty) class library project `Elsa.Studio.Authentication.OpenIdConnect` with best practices and patterns. We need to support both the Blazor Server and Blazor WASM models, so if necessary, you can create additional projects targeting these different hosting models.
I have attached files that showcase the current implementation for your reference, but use it as you see fit.
First, make a plan, then execute upon it autonomously. Ask me any questions if you need to.
The user has attached the following files from their workspace:
TITLE: New standalone OIDC Authentication module for Elsa Studio
USER INTENT:
Create a new optional, best-practices OpenID Connect authentication module for Elsa Studio as a clean, decoupled replacement/alternative to the current OIDC implementation that is intertwined with `Elsa.Studio.Login`. The user wants a plan first, then autonomous execution, asking questions only when necessary.
TASK DESCRIPTION:
- `Elsa.Studio.Authentication.OpenIdConnect`
- `Elsa.Studio.Login` project (reduce tight coupling / intermixing).
- `WorkflowInstanceObserverFactory` (token access needs, propagation, background calls, etc.).
EXISTING:
- `Elsa.Studio.Login`.
PENDING:
- `Elsa.Studio.Authentication.OpenIdConnect` module before coding.
- `WorkflowInstanceObserverFactory`.
- `Microsoft.AspNetCore.Components.WebAssembly.Authentication`-style patterns (or equivalent) with MSAL/OIDC integration if applicable.
CODE STATE: